Colorado Hospital to Pay $111,400 for Failure to Deactivate PHI Access of Former Employee

A Colorado hospital is to pay OCR $111,400 for failing to terminate the access of a former employee to its online scheduling calendar, which caused the impermissible disclosure of the electronic protected health information (ePHI) of 557 patients.

Pagosa Springs Medical Center (PSMC), a critical access hospital that services over 17,000 hospital and clinic appointments per year, is required to comply with HIPAA Rules as a HIPAA-covered entity.

One provision of the HIPAA Privacy Rule is a covered entity must limit protected health information (PHI) access to authorized persons. As soon as an employee is terminated or otherwise leaves or has no longer has a legitimate work reason for continued PHI access, that individual’s access must be terminated.

On June 7, 2013, a complaint was filed with OCR concerning a past employee of PSMC who was still able to access PHI, via the online scheduling calendar, even though that individual’s employment had ended. OCR investigated the complaint and confirmed that the employee still could remotely access the calendar and did so twice on July 8 and September 10, 2013. PSMC had failed to de-activate the employee’s username and password. As a result, the ePHI of 557 patients contained in the calendar were impermissibly disclosed.

Additionally, the online calendar that PSMC used was provided by Google; however, PSMC could not produce a signed business associate agreement (BAA). Use of the calendar in association with ePHI therefore constituted an impermissible disclosure. Without a BAA, no reasonable assurances had been provided by Google confirming the company would safeguard ePHI in the calendar.

Besides the financial penalty, PSMC has agreed to adopt an extensive corrective action plan to resolve all HIPAA issues uncovered by OCR, including bringing its security management and BAA policies and procedures in line with HIPAA requirements and training employees on the new policies. During the two years covered by the corrective action plan, PSMC needs to submit yearly reports to the HHS to confirm if it is in compliance with HIPAA.

OCR Director Roger Severino stated this case highlights the requirement of covered entities to be aware who is able to access ePHI at all times, and to ensure that access is terminated when there is no longer any legitimate work reason for continued access and that covered entities must enter into a HIPAA-compliant BAA with a vendor before disclosing ePHI.